User Rights Assignment

    Question

  • Hello Technet Community:

    We run a small Windows 2008R2 Domain with Windows 7 Professional workstations.  We have a user, whom we would like to give elevated privileges to.  However, due to the nature of our environment, we want to limit what those privileges are.  In addition to providing elevated privileges we would like to be able to log the use of any elevated privileges this particular user executes on the Windows 7 workstations.  So I am looking for advice on what Group Policy Access Rights and Auditing Configuration I should be using to accomplish this task. 

    The specific tasks we would like this user to be able to do are:

    Stop & Start Windows Services
    Register Extensions
    Run Batch Scripts
    Reboot Workstations Only (Not Servers)

    The specific task we don't want this user to be able to do is:

    Install Software using .exe or .msi

    Lastly, we would like to Audit when this person uses the rights he/she is being granted.  The Auditing is important to maintaining our security compliance.

    I do understand I can use Group Policy to control this, and I do understand the two areas in which I do this are:

    Computer Policy -> Windows Settings -> Local Policies -> User Rights Assignments

    Computer Policy -> Windows Settings -> Advanced Audit Policy Configuration - System Audit Policies

    However, I am not specifically sure which exact settings will accomplish this.

    Any guidance and help provided to me is greatly appreciated.

    Thanks.


    • Edited by Jasedace Thursday, September 8, 2016 1:26 PM Change title and add a little more detail.
    Thursday, September 8, 2016 1:14 PM

Answers

  • Hi Jasedace,

    Thanks for your post.

    For registering extensions, try running the .bat script below.

    REM RunAsInvoker starts regedit with the caller's own token instead of prompting for elevation
    set __COMPAT_LAYER=RunAsInvoker
    start regedit.exe

    For more information, please refer to the article below.

    How to Run Applications Manifested as HighestAvailable With a Logon Script Without Elevation for Members of the Administrators Group

    https://blogs.msdn.microsoft.com/cjacks/2009/09/13/how-to-run-applications-manifested-as-highestavailable-with-a-logon-script-without-elevation-for-members-of-the-administrators-group/

    For running batch scripts, based on my experience, domain users can run batch scripts by default.

    For Reboot Workstations Only (Not Servers), configure the setting "Shut down the system" in GPO, and configure WMI filtering for workstations.

    The path of the setting: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    The configuration of WMI:

    select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"

    This query filters on both the product version number and the product type.

    Operating system                          Version pattern
    Windows Server 2008 R2 or Windows 7       6.1%
    Windows Server 2012 R2 or Windows 8.1     6.3%

    ProductType 1 = desktop OS
    ProductType 2 = Server OS (domain controller)
    ProductType 3 = Server OS (not a domain controller)

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 9, 2016 7:29 AM
    Moderator
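One way to check, on a single workstation, that the answer's WMI filter selects the host and that the audit trail the question asks for is actually being written. This is an added example, not part of the thread; it assumes a placeholder account CONTOSO\jdoe and that the Privilege Use audit subcategories have already been enabled by GPO.

```powershell
# Added example (not from the thread). Run on a Windows 7 workstation as an administrator.
# CONTOSO\jdoe is a placeholder for the account that was granted the extra rights.
param(
    [string]$User  = 'CONTOSO\jdoe',
    [int]   $Hours = 24
)
$account = $User.Split('\')[-1]    # bare user name, used to match event text

# 1. Evaluate the same WQL the GPO WMI filter uses. A row back means the GPO that
#    grants "Shut down the system" would apply here; on a server the query returns nothing.
#    Get-WmiObject is used instead of Get-CimInstance so this also runs on PowerShell 2.0.
$filter = 'select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"'
$os = Get-WmiObject -Query $filter
if ($os) {
    "WMI filter matches: $($os.Caption) (Version $($os.Version), ProductType $($os.ProductType))"
} else {
    "WMI filter does not match this host; the workstation-only GPO would be skipped"
}

# 2. Confirm the right landed in the current session (replace with a session of $User
#    to test the target account): SeShutdownPrivilege is what a local reboot needs.
whoami /priv | Select-String 'SeShutdownPrivilege|SeRemoteShutdownPrivilege'

# 3. Privilege-use audit trail in the Security log: 4672 is written at logon when an
#    account is assigned sensitive rights, 4673/4674 when a held privilege is exercised
#    (which Privilege Use subcategory covers a given privilege depends on the privilege).
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4672,4673,4674; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($account) } |
    Select-Object TimeCreated, Id, @{ n='Summary'; e={ ($_.Message -split "`n")[0] } }

# 4. Reboots and service stop/start are recorded in the System log rather than through
#    privilege auditing: 1074 (User32) names the account that initiated a shutdown,
#    7036 (Service Control Manager) records each service entering the running/stopped state.
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1074,7036; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 7036 -or $_.Message -match [regex]::Escape($account) } |
    Select-Object TimeCreated, Id, @{ n='Summary'; e={ ($_.Message -split "`n")[0] } }
```

Forward the Security and System events above to a central collector if the compliance requirement is to retain them, since the local logs roll over.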

All replies

  • Hi,

    Please find the link which may help you.

    http://www.grouppolicy.biz/2010/08/how-to-use-group-policy-to-control-services/

    Thursday, September 8, 2016 1:34 PM
  • Thank you.  This looks like it will solve one aspect of my issue.

    But I still need to be able to:

    Register Extensions
    Run Batch Scripts
    Reboot Workstations Only (Not Servers)

    While not being able to

    Install Software using .exe or .msi

    Thursday, September 8, 2016 1:41 PM
  • Hi,

    To run the Batch script follow the link

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/00475e0e-fe03-481b-9339-57c5a769d467/making-a-bat-run-silently-via-gpo?forum=ITCG

    Reboot Workstations Only (Not Servers)

    https://social.technet.microsoft.com/Forums/windows/en-US/3608dd77-3727-4cc6-b3c6-cfcf1a486a2a/restart-computers-via-gpo?forum=winserverGP

    Install Software using .exe or .msi

    https://social.technet.microsoft.com/Forums/sharepoint/en-US/0ea9886d-053a-4672-8b33-af75273f9900/how-to-deploy-exe-file-using-gpo?forum=winserverGP

    Good luck.

    Once your issue is resolved, don't forget to mark as Answer.

    Thursday, September 8, 2016 1:53 PM
  • Hi,

    Are there any updates?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 19, 2016 3:06 AM
    Moderator